Malicious PDF — malware analysis report

Static analysis result for SHA-256 39281f982a3d763d…

MALICIOUS

PDF

2.6 KB
MD5: 58354647f9d3e626c54fadf3f56a33f4 SHA-1: ab366b111d9f7fb2281686ce8a4329ac72f4a05a SHA-256: 39281f982a3d763d0ed0b6b092a7b731b531c701262b8b3f63b53816eca9c0f9
226 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information T1204.002 Malicious File: Malicious File

The PDF file contains obfuscated JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, PDF_EVAL, and PDF_UNESCAPE. The critical heuristic PDF_ANNOT_SUBJECT_MARKER_EVAL_STAGER suggests a stager mechanism within the annotation subject. The presence of deobfuscated JavaScript further supports the execution of malicious code. ClamAV detection confirms the malicious nature of the file, identifying it as Pdf.Exploit.Agent-35912, likely a downloader or exploit loader.

Heuristics 8

  • Annotation subject percent-decoding eval stager critical PDF_ANNOT_SUBJECT_MARKER_EVAL_STAGER
    OpenAction JavaScript forces annotation enumeration, reads an annotation /Subject payload with getAnnots(), rewrites marker bytes into percent escapes, decodes it with unescape(), and dispatches it through eval. This is a high-confidence exploit-kit staging pattern. It is intentionally not mapped to CVE-2009-1492 unless getAnnots() itself carries the crafted integer or long argument shape for that vulnerability.
  • ClamAV: Pdf.Exploit.Agent-35912 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35912
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive low PDF_FOXIT_SYNCANNOTSCAN
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (matched in decompressed stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
7218a1c68060953321573daa035b16f5f32928ce25a9eb656690dbe78cd9464e		 pdf-javascript-stream PDF /JS object 7 at offset 0x1A2 201 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
deobfuscated.js
f1aff9721e787cb0112877a1aba979ba89508bad9a891abae1918ee2e46401ac		 deobfuscated-js PDF JavaScript deobfuscation pass 1634 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.